Hey Valdis, > It's more likely that there's one version, making noise and very rarely finding > a box with stupid passwords. It's possible there's another rare version that > tries several stupid passwords and a few old SSH vulnerabilities. Is there > *any* reliable evidence (even a single box) that appears to have been nailed by > a new exploit?
Hm, as of this frauder binary, I have my strong doubts... looked at it, and it's a plain brute forcer / banner grabber which is statically linked against SSH-2.0-libssh-0.1. No magic visible, at least not in the given timeframe, and my gut feeling is that that's it. > > I'll gladly change my mind, but it will take somebody actually finding a > box running a *recent* SSH and had guest/test/and_so_on properly secured, > and the attack *still* got in.... I assume in the aforementioned takeovers other factors were involved. Cheers, J. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
